'%20filter='url(%23b)'%20transform='translate(0%20-286)'/%3e%3cpath%20d='M1636.5%20147c-123.436%200-223.5%20102.975-223.5%20230s100.064%20230%20223.5%20230S1860%20504.025%201860%20377c-.143-126.964-100.124-229.853-223.5-230Zm107.16%20308.341c-1.892%202.323-4.973%203.231-7.78%202.295l-98.896-32.908-98.896%2032.908c-2.807.933-5.884.022-7.774-2.3-1.89-2.32-2.212-5.587-.815-8.25l101.128-192.49c1.376-2.238%203.776-3.596%206.357-3.596%202.58%200%204.981%201.358%206.357%203.596l101.128%20192.49c1.401%202.663%201.08%205.932-.81%208.255Z'%20fill='url(%23c)'%20filter='url(%23d)'%20transform='translate(0%20-286)'/%3e%3c/g%3e%3c/svg%3e)
Network bridges
A network bridge connects two Loopback networks inside the same organization so hosts in different meshes can reach each other without manually duplicating peer lists. Technically, the execution layer extends each host’s peer set with hosts from the other network after bridge creation.
Why bridges exist
Typical scenarios:
- Shared services network plus per-workspace meshes that must still reach a central bastion or artifact registry.
- Migration patterns where old and new workspaces overlap during cutover.
- Compliance segmentation where policy still requires controlled holes between segments rather than one flat mesh.
API behavior (organization scope)
Organization APIs let authorized members:
- List bridges for the organization.
- Create a bridge between two named networks plus a human-readable label.
- Read or delete a bridge by id.
Validation rules:
- Both networks must exist and belong to the same organization as the request.
- Self-bridging is rejected.
- A duplicate bridge between the same pair is rejected.
- Cross-organization bridging is forbidden.
Successful create and delete run asynchronous mesh work so agents pick up new peer relationships.
Operational notes
- Bridges are not a substitute for firewall policy; they expand reachability. Pair bridges with Firewalls when you need default deny.
- After bridge deletion, hosts may need a short interval to converge depending on agent connectivity; the destroy workflow schedules mesh refresh work to drop stale peers.